| Abnormal ICMP traffic | 1-ICMP |
| Abnormal TCP traffic | 1-TCP |
| Abnormal UDP traffic | 1-UDP |
| Abnormal new IP addresses arrival rate | 2 |
| Abnormal network traffic entropy value | 3 |
| SYN flood | 4-SYN |
| SYN-ACK flood | 4-SYN-ACK |
| ACK flood | 4-ACK |
| PSH - ACK flood | 4-PSH-ACK |
| FIN/RST flood | 4-FIN/RST |
| TCP-based application level protocol (e.g. HTTP) flood | 7-TCP-<protocol> |
| UDP-based application level protocol (e.g. DNS) flood | 7- UDP-<protocol> |
| "Tsunami" SYN flood | 7-TSU-<protocol> |
| "Low and Slow" attack | 9 - LS |
| TCP SYN flood from a relatively small attacking population | 1-TCP:4-SYN |
| TCP SYN-ACK flood from a relatively small attacking population | 1-TCP:4-SYN-ACK |
| TCP FIN/RST flood from a relatively small attacking population | 1-TCP:4-FIN/RST |
| TCP SYN flood from a large attacking population | 1-TCP:4-SYN:2 |
| TCP SYN-ACK flood from a large attacking population | 1-TCP:4-SYN-ACK:2 |
| TCP FIN/RST flood from a large attacking population | 1-TCP:4-FIN/RST:2 |
| TCP SYN flood from a vast attacking population | 1-TCP:4-SYN:2:3 |
| TCP SYN-ACK flood from a vast attacking population | 1-TCP:4-SYN-ACK:2:3 |
| TCP FIN/RST flood from a vast attacking population | 1-TCP:4-FIN/RST:2:3 |
| UDP flood from a large attacking population | 1-UDP:2 |
| UDP flood from a vast attacking population | 1-UDP:2:3 |
| ICMP flood from a large attacking population | 1-ICMP:2 |
| ICMP flood from a vast attacking population | 1-ICMP:2:3 |
| Application level TCP flood attack | 7-TCP-<protocol>:1-TCP |
| Application level UDP flood attack | 7-UDP-<protocol>:1-UDP |
| Application level TCP "Tsunami" flood attack | 7-TSU-<protocol>:1-TCP |